SBIR-STTR Award

Reflective Annotations for Functional Test (RAFT)
Award last edited on: 5/8/2023

Sponsored Program
SBIR
Awarding Agency
DOD : MDA
Total Award Amount
$2,348,127
Award Phase
2
Solicitation Topic Code
MDA09-030
Principal Investigator
Andrew N Potter

Company Information

Sentar Inc

315 Winn Drive Suite 1
Huntsville, AL 35805
(256) 430-0860
info@sentar.com
www.sentar.com
Location: Single
Congr. District: 05
County: Madison

Phase I

Contract Number: HQ0006-10-C-7422
Start Date: 6/21/2010    Completed: 12/21/2010
Phase I year
2010
Phase I Amount
$99,926
A software tool is proposed for automatically executing both vulnerability and malicious code analyses against both binary and source code files. The analysis tools may be selectively applied, supporting a wide assortment of analysis and verification activities for code targeted at multiple hardware platform types. The proposed concept provides decision support for combining the results of multiple analyses into a recommendation for further action. Potential recommendations include approving the code for integration, pursuing more detailed analysis, forwarding the code for remediation, and rejecting the code. The innovation of the proposed concept is the integration and automation of multiple verification and analysis functions which can increase the trust levels in third-party software. The capacity to verify virtually all third-party software as free of security vulnerabilities and malicious code raises the bar for trustworthiness. Far more comprehensive analyses can be performed in a much more efficient process, thereby ensuring trustworthiness on a much greater scale.

Keywords:
Software Analysis, Code Analysis, Malicious Code, Binary Code, Source Code, Source Code Analysis, Software Threat Mitigation

Phase II

Contract Number: HQ0147-14-C-7020
Start Date: 1/24/2014    Completed: 1/26/2016
Phase II year
2014
(last award dollars: 2015)
Phase II Amount
$2,248,201

The Sentar veriScan tool is a software assurance product for analyzing and assessing both source and binary software files for the presence of program vulnerabilities, coding weaknesses, and malicious intent. VeriScan automates the execution of a critical mass of analysis programs for verifying large scale, implicitly trusted software systems; performs risk assessments; reports on those risks in the face of reuse; and provides decision support to enable the mitigation of any risks identified. VeriScan provides unique software assurance capabilities not typically found in commercial software products, including: 1) analysis of both source and binary files, 2) analysis for both known and previously undiscovered malware, 3) an integrated risk assessment of potentially conflicting analysis results, and 4) detection of classified information spillage in source code comments or in variable and function names. These capabilities combined make veriScan a far more comprehensive tool than current commercial tools and products. When comparing the utility of veriScan with commercial products, veriScan requires little training to use and targets a much lower price point for user licensing fees. Approved for Public Release 14-MDA-7739 (18 March 14).

Keywords:
Software assurance, software supply chain, static analysis, malware analysis, risk assessment, decision support, classified information spillage, vulnerabilities and weaknesses